Analysis
- max time kernel: 680s
- max time network: 682s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 02:17

Static task: static1

Behavioral task: behavioral1
- Sample: document.07.21.doc
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: document.07.21.doc
- Resource: win10v20210408
General
- Target: document.07.21.doc
- Size: 69KB
- MD5: 8198d8aad8008d4b95402f749845b7a1
- SHA1: 894b40166b312ba747bd379194e00fbea438168c
- SHA256: 540f3827790f6809cec591526813a664fa4e428e49271211667940a808e70614
- SHA512: 0563fa6d5382c917a2bd2e054b25dc3f555866296ab2eeffacfafcff1e93fa6d05af0cba1004759b3a6f469232433647fda8b6e5e11f57131ce8fb1f2cfb048d
Malware Config
Signatures
-
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1800 | 2000 | cmd.exe | WINWORD.EXE
-
Blocklisted process makes network request (1 IoCs)
Processes:
  flow | pid | process
  5 | 784 | mshta.exe
-
Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid | process
  2000 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  2000 | WINWORD.EXE
  2000 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  description | pid | process | target process
  PID 2000 wrote to memory of 1800 | 2000 | WINWORD.EXE | cmd.exe (4 identical entries)
  PID 1800 wrote to memory of 784 | 1800 | cmd.exe | mshta.exe (4 identical entries)
  PID 784 wrote to memory of 1460 | 784 | mshta.exe | regsvr32.exe (7 identical entries)
  PID 2000 wrote to memory of 1656 | 2000 | WINWORD.EXE | splwow64.exe (4 identical entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document.07.21.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c c:\programdata\sds.hta
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\sds.hta"
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\girlGirlBoys.jpg
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\programdata\sds.hta
  MD5: f8f46135633afaa03568145c8d1316c4
  SHA1: 199c13fc844d44188a8883324c176ce422a97ca6
  SHA256: 83a2b8f097269bd8fb5a70725a3cbfee5308300b197368308e3a5adba849111d
  SHA512: ee55ca0e35efaa1e5d6168cc0ce9f6d0315eb209eb1733c905cbe7fe98cd8511fa7f00e5155b0960b97c750c580104a11bc3fefc4bd31cfa049710aa604c13d5
- \??\c:\users\public\girlGirlBoys.jpg
  MD5: 78e3f08e416740e064779f0301d15085
  SHA1: 06cb8e53e9299f713629316f9dcc2fe4991ad1fd
  SHA256: eed0186dd421c6ea6e612189b746f38f23545391450227555fa2d56239de1335
  SHA512: 582b765af71ef25c5ccb07a92f45851d8be2248d11dd51e17a643621d7a7903b9ccbc2829d32d082d94bf7c1fd18d5ab46bb02c79d90d7e0a21da44117b5a2bd

Memory dumps
- memory/784-67-0x0000000000000000-mapping.dmp
- memory/1460-71-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/1460-68-0x0000000000000000-mapping.dmp
- memory/1656-72-0x0000000000000000-mapping.dmp
- memory/1656-73-0x000007FEFC411000-0x000007FEFC413000-memory.dmp (Filesize: 8KB)
- memory/1800-64-0x0000000000000000-mapping.dmp
- memory/2000-63-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize: 8KB)
- memory/2000-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/2000-61-0x0000000070A41000-0x0000000070A43000-memory.dmp (Filesize: 8KB)
- memory/2000-60-0x0000000072FC1000-0x0000000072FC4000-memory.dmp (Filesize: 12KB)
- memory/2000-74-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)